Cryptographic communication method and cryptographic communication device.

A cryptographic communication method comprises a step for carrying out
cryptographic communication between a sending station (1A, 1B, 1C) and
one or more receiving stations (2A, 2B, 2C) by using
(1) a ciphertext (C) formed by encrypting a unit of sending information
under the intervention of at least a cryptographic key (K) and
(2) key-distribution-information (Y) produced by using at least the
ciphertext (C), receiving station's public information, and randomized
information (r, r1) generated in the sending station (1A, 1B, 1C).
BACKGROUND OF THE INVENTION

1. Field of the invention

The present invention relates to a cryptograph- 
ic communication method for communicating by 
using cryptography and a cryptographic commu- 
nication device for implementing the method, and 
in particular to a cryptographic communication 
method and device for securely distributing a cryp- 
tographic key. 

2. Description of Background 

Recently, many methods for protecting data with cryptography or
authenticating the data have been researched and utilized for
transmitting data through an insecure communication path in which a
third party can eavesdrop or alter a message.

Cryptography is classified into two kinds: the common key cryptosystem
and the public key cryptosystem. In particular, public key cryptography
is suitable for a key sharing protocol and a digital signature. For
example, the Rivest Shamir Adleman (RSA) cryptosystem and the
Diffie-Hellman (DH) cryptosystem are commonly known.

When cryptographic communication is implemented by a secret-key
cryptosystem, a sender and a receiver have to share a common
cryptographic key in advance. For sharing a common key, a public key
technique can be used. For example, the popular DH method ( W.Diffie &
M.E.Hellman, "New Directions in Cryptography", IEEE Trans. on
Information Theory, IT-22, 6, pp.644-645, June 1976 ) is the oldest one.

The DH method is a key distribution method between two users based on
the difficulty of the discrete logarithm. That is, it is difficult to
find an integer x for given g, y and p which satisfies the following
equation.

y = g^x mod p (x and g are both integers)

On the other hand, it is easy to calculate y for given integers x, g,
and p.

After the DH method was proposed, many improved cryptographic key
sharing methods have been proposed. For example, in some key
distribution methods, a key to be shared changes every time or an
authentication function for authenticating the sender is added.
Moreover, methods in which a group of two or more persons can
communicate among themselves by distributing a key have been proposed.

Ito et al. proposed an improved key distribution method ( T.Ito,
T.Habutsu, I.Sasase, S.Mori, "One-Way Key Distribution System Based on
Identification Information Without Public Information Directory",
Lecture Notes No. A-283, pp.1-283, National Conference of the Institute
of Electronics Information and Communication Engineers, March, 1990).
This method has the following properties: authentication of the public
key is provided, the key changes for each communication, and the
communication required for the key distribution is one-way from the
sender to the receiver. A key distribution method realized in one-way
communication like the above proposal is suitable for a communication
system in which the transmission delay is relatively large. Such a
communication system is, for example, an electronic mail system.

Moreover, as mentioned in Ito's paper, the one-way key distribution
method might be extended for sharing a key among three or more persons
if the shared key depends only on random numbers generated by the
sender.

The Ito method is shown abstractly in Fig. 1. As shown in Fig. 1, a
cryptographic key K is generated in a key generating section 111 of a
sending station 101 under the control of a random number r generated in
a random number generating section 112. Then, a message M is encrypted
under intervention of the cryptographic key K in an encrypting section
113. The encrypted message C is sent to a receiving station 102. Also, a
unit of key-distribution-information Y is generated in a
key-distribution-information generating section 114 by using both the
random number r and the public information PK. The
key-distribution-information Y is also sent to the receiving station
102.

In the receiving station 102, the cryptographic key K is restored by
using the key-distribution-information Y and secret information SK of
the receiving station 102 in a key restoration section 115. Then, the
encrypted message C is decrypted to provide the plain message M under
intervention of the restored key K in a decrypting section 116.

In the above configuration, when a key K is sent from the sender 101 to
the receiver 102, the key-distribution-information Y must satisfy two
functions as follows:

A. an authentication function in which the receiver 102 can authenticate
that the key-distribution-information Y has been positively sent from a
first station ( that is, from the sender 101 ).

B. a confidentiality function for reliably sending the key Y to a
specific receiver only.

Besides the Ito method, many types of key distribution methods which
realize the above two functions are available. For example, in the RSA
cryptograph, the authentication function is embodied by the digital
signature and the confidentiality function is realized by encryption.
In more detail, by using a receiver encrypting function Er, a sender
decryption function Ds, and a hash function h, the key distribution can
be embodied. For example, the key-distribution-information Y is
generated from the key K as shown by the following equation.

Y = Er(K, Ds(h(K)))

Here, the function Ds(h(K)) indicates the sender's digital signature for
the key.

The receiver 102 who has received the key-distribution-information Y
decrypts the information Y by using his own decryption function Dr so
that the key K and the sender's digital signature are obtained as shown
by the following equation:

K, Ds(h(K)) = Dr(Y).



Moreover, the receiver 102 confirms the signa- 
ture by using a sender encrypting function Es. 

This method is used for sharing the key K 
between two persons. This method must be secure 
so long as the cryptographic key K will never be 
revealed to anyone else. 

However, in the above method, attacks will be successful in two cases as
follows.

A first case occurs when the used key K is revealed to a third party by
some means after the cryptographic communication. That is, when an
attacker knows the key-distribution-information Y, an encrypted mail C,
and the cryptographic key K which is used for encrypting a message M to
create the encrypted mail C, the attacker can encrypt a message M' by
using the cryptographic key K to make an encrypted mail C', and then
send both the information Y and the encrypted mail C' to the receiver
102. In this case, the receiver believes that the message M' has been
sent from the true sender 101.

A second case occurs when the above method 
is extended to a key distribution method imple- 
mented among three or more persons as follows. 

When defining a sender s and a plurality of receivers r1, r2, ..., rj,
the sender s prepares key-distribution-information Yi for the receiver
ri by using an encryption function Eri of the receiver ri
(i = 1, 2, ..., j) as Yi = Eri(K, Ds(h(K))). Thereafter, the receiver
ri, who has received the key-distribution-information Yi, recovers the
cryptographic key K, while authenticating that the sender is the true
sender s in the same manner as the key distribution between two persons.

In this case, after the key distribution is carried out among a group of
three or more persons, one of the receivers can impersonate the sender s
to send a message M' to another receiver. Everyone belonging to the
group can impersonate the sender s for the same reason as the first case
because they know that the key corresponding to the
key-distribution-information Yi (i = 1, 2, ..., j) is K.
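Both cases above come down to one weakness: the signature inside Y = Er(K, Ds(h(K))) covers only K, so Y stays valid for any ciphertext made with K. The following Python sketch is an added example, not part of the patent text; it uses constructed toy RSA keys and a toy XOR stream cipher, and the bind_ciphertext variant that signs h(K, C) is an assumed illustration of making Y depend on C, not the construction used in the embodiments.

```python
import hashlib

def make_key(p, q, e=65537):
    """Textbook RSA key from two constructed small primes (toy sizes only)."""
    n = p * q
    return {"n": n, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

SENDER = make_key(1009, 1013)    # sender functions Es / Ds
RECEIVER = make_key(1019, 1021)  # receiver functions Er / Dr (larger modulus)

def h(*parts, mod):
    """Hash function h(), reduced into the signer's modulus."""
    data = b"|".join(str(p).encode() if isinstance(p, int) else p for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % mod

def sym(key, data):
    """Toy symmetric cipher: XOR with a SHA-256 keystream derived from K.
    Encryption and decryption are the same operation."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(f"{key}:{i}".encode()).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def digest_for(key, c, bind_ciphertext):
    """h(K) as in the background scheme, or h(K, C) in the assumed bound variant."""
    if bind_ciphertext:
        return h(key, c, mod=SENDER["n"])
    return h(key, mod=SENDER["n"])

def send(key, message, bind_ciphertext):
    """Sender: C = E_K(M), Y = Er(K, Ds(h(...)))."""
    c = sym(key, message)
    sig = pow(digest_for(key, c, bind_ciphertext), SENDER["d"], SENDER["n"])
    y = tuple(pow(v, RECEIVER["e"], RECEIVER["n"]) for v in (key, sig))
    return y, c

def receive(y, c, bind_ciphertext):
    """Receiver: K, sig = Dr(Y); check the signature with Es; decrypt C.
    Returns the plaintext, or None when authentication fails."""
    key, sig = (pow(v, RECEIVER["d"], RECEIVER["n"]) for v in y)
    if pow(sig, SENDER["e"], SENDER["n"]) != digest_for(key, c, bind_ciphertext):
        return None
    return sym(key, c)

def resend_with_known_key(y, key, other_message):
    """What a party that learned K can do: keep Y, swap in C' = E_K(M')."""
    return y, sym(key, other_message)

def demo(bind_ciphertext):
    """Returns (result for the genuine pair, result for the re-sent Y with C')."""
    key = 424242  # constructed session key K, smaller than both moduli
    y, c = send(key, b"original order", bind_ciphertext)
    genuine = receive(y, c, bind_ciphertext)
    y2, c2 = resend_with_known_key(y, key, b"substituted order")
    return genuine, receive(y2, c2, bind_ciphertext)

if __name__ == "__main__":
    print("signature over h(K):   ", demo(False))
    print("signature over h(K, C):", demo(True))
```

With the signature over h(K) alone the receiver accepts the substituted message as coming from the sender; once the signed value also covers C, the re-sent Y no longer verifies against C'.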

SUMMARY OF THE INVENTION 

It is a first object of the present invention to provide a cryptographic
communication method in which the shared key is easily changed in
contrast to the DH method so that the impersonation attack carried out
by resending the key distribution information in the key sharing method
between two persons or among three or more persons can be prevented.
Also, it is a second object to provide a cryptographic communication
device to implement the above method easily.

The first object is achieved by the provision of a cryptographic
communication method, comprising:

carrying out cryptographic communication between a sending station (1A,
1B, 1C) and one or more receiving stations (2A, 2B, 2C) by using

(1) a ciphertext (C) formed by encrypting a unit of sending information
under the intervention of at least a cryptographic key (K) and

(2) key-distribution-information (Y) produced by using at least the
ciphertext (C), receiving station's public information (ID1, P1), and
randomized information (r, r1) generated in the sending station (1A, 1B,
1C).

The first object is also achieved by the provision of a cryptographic
communication method for carrying out cryptographic communication
between a sending station (1A) and one or more receiving stations (2A),
comprising:

generating a ciphertext (C) in the sending station (1A) by encrypting a
unit of sending information under the intervention of a cryptographic
key (K) which is made based on a random number (r) made in the sending
station (1A);

generating key-distribution-information (Y) in the sending station (1A)
from at least the ciphertext (C), one receiving station's public
information (ID1, P1), and the random number (r);

sending the ciphertext (C) and the key-distribution-information (Y) to
the one receiving station (2A);

restoring the cryptographic key (K) in the one receiving station (2A) by
using at least the ciphertext (C), the received
key-distribution-information (Y), and secret information held in the one
receiving station (2A); and

decrypting the received ciphertext (C) in the receiving station (2A)
under the intervention of the cryptographic key to obtain the plain text
(M) sent by the sender.

The second object is achieved by the provision of a cryptographic
communication device for:

carrying out cryptographic communication among a plurality of stations
interconnected through a communication network;

generating a pair of public and secret information to each station; and

distributing encrypted sending information by using the public and
secret information from a sending station (1A) to one or more receiving
stations (2A) among several stations, comprising:

random number generation means (11A) for generating random numbers in a
sending station (1A, 1B, 1C);

key-distribution-information production means (13A) for producing
key-distribution-information (Y) from at least the public information
relating to a receiving station (2A), a random number (r) generated in
the random number generation means (11A), and the sending information
from the sending station (1A);

key information production means (15A) for producing key information (K)
generated by the random number (r) generated in the random number
generation means (11A) in the sending station (1A);

encryption means (17A) for encrypting the sending information by using
the key information (K) generated in the key information production
means (15A) in the sending station (1A);

key information restoration means (25A) for restoring the key
information in the receiving station (2A) recovered from the
key-distribution-information (Y) produced in the
key-distribution-information production means by using the encrypted
sending information (C) and the secret information (SK) of the receiving
station (2A); and

decrypting means (27A) for decrypting the encrypted sending information
in the receiving station (2A) by using the key information restored in
the key information restoration means (25A).

In the above configuration, as shown in Fig. 2, a cryptographic key K is
generated in a key generating section 15A of a sending station 1A under
the control of random number r generated in a random number generating
section 11A. Then, a message M is encrypted under intervention of the
cryptographic key K in an encrypting section 17A. The encrypted message
C is then sent to a key-distribution-information (Y) generating section
13A with both the random number r and the public information PK of a
receiving station 2A to generate the key-distribution-information Y,
while the encrypted message C is sent to the receiving station 2A. The
key-distribution-information Y is sent to the receiving station 2A.

In the receiving station 2A, the cryptographic key K is restored from
the key-distribution-information Y by using the encrypted message C, and
secret information SK of the receiving station 2A in a key restoration
section 25A. Then the encrypted message C is decrypted to provide the
plain message M under the intervention of the restored key K in a
decrypting section 27A.

Accordingly, because the key K is generated 
under the control of the random number r when the 
key K is shared between a sender and a receiver, 
the shared key K is easily changed in each com- 
munication, while the key does not change in the 
original DH method. 

In addition, because the key K set up in a 
communication is dependent only on the random 
number generated by the sender, the key K is 
easily shared among three or more persons as 
described in an embodiment hereinafter. 

Moreover, because the key-distribution-information Y for sending the key
K from the sender to the receiver depends on the message M, it is very
difficult for a key-distribution-information (Y) accompanied with
ciphertext (C) of message M to be reused to send another ciphertext (C)
later.

Consequently, the impersonation attack carried out by resending the
key-distribution-information (Y) in the key distribution method among
stations can be prevented in the present invention.

The first object is also achieved by the provi- 
sion of a cryptographic communication method for 
carrying out cryptographic communication between 
a sending station (1B) and one or more receiving 
stations (2B), comprising: 

generating a ciphertext (C) in the sending station (1B) by encrypting
the sending information under the intervention of a cryptographic key
(K) which is produced based on a first random number made in the sending
station (1B);

generating a key-distribution-information (Y) in the sending station
(1B) from at least public information in one receiving station (2B), the
first random number (r1), and a second random number (r2) which is made
in the one receiving station (2B) and sent to the sending station (1B);

sending the ciphertext (C) and the key-distribution-information (Y) to
the one receiving station (2B);

restoring the cryptographic key (K) in the one receiving station (2B) by
using at least the received key-distribution-information (Y), secret
information (SK) held in the one receiving station (2B), and the second
random number (r1); and

decrypting the received ciphertext (C) in the 
one receiving station (2B) under the intervention of 
the cryptographic key (K) to obtain the plain send- 
ing information (M). 

The second object is also achieved by the provision of a cryptographic
communication device for carrying out cryptographic communication among
a plurality of stations interconnected through a communication network,
generating public information and secret information corresponding to
the public information in each station, and distributing encrypted
sending information by using the public and secret information from a
sending station (1B) to one or more receiving stations (2B) among
stations, comprising:

first random number generation means (11B) for generating first random
numbers (r1) in a sending station (1B);

key-distribution-information production means (13B) for producing
key-distribution-information (Y) from at least a first random number
(r1) generated in the first random number generation means (11B) and a
second random number (r2);

key information production means (15B) for producing key information (K)
generated by the first random number (r1) generated in the first random
number generation means in the sending station (1B);

encryption means (17B) for encrypting the sending information by using
the key information (K) generated in the key information production
means (15B) in the sending station (1B);

second random number generation means (21B) for generating second random
numbers (r2) in a receiving station (2B);

key information restoration means (25B) for restoring the key
information, in the receiving station (2B), from the
key-distribution-information (Y) produced in the
key-distribution-information production means (13B) by using the second
random number (r2) generated in the second random number generation
means (21B) and the secret information (SK) of the receiving station
(2B); and

decrypting means (27B) for decrypting the encrypted sending information
in the receiving station (2B) by using the key information (K) restored
in the key information restoration means (25B).

In the above configuration, as shown in Fig. 3, a cryptographic key K is
generated in a key generating section 15B of a sending station 1B under
the control of the first random number r1 generated in a random number
generating section 11B. Then, a message M is encrypted under the
intervention of the cryptographic key K in an encrypting section 17B.
Then, the encrypted message C is sent to a receiving station 2B.

Also, the first random number r1, the public information PK of a
receiving station 2B, and second random number r2 generated in a random
number generating section 21B of the receiving station 2B are sent to a
key-distribution-information (Y) generating section 13B to generate
key-distribution-information Y. The key-distribution-information Y is
sent to the receiving station 2B.

In the receiving station 2B, the cryptographic key K is restored from
the key-distribution-information Y by using the second random number r2
and the secret information SK of the receiving station 2B in a key
restoration section 25B. Then, the encrypted message C is decrypted to
provide the decrypted message M under intervention of the restored key K
in a decrypting section 27B.

Accordingly, because the key-distribution-information Y depends on the
second random number r2 generated in the receiver's generating section
21B, it is difficult for the receiver 2B to reuse the
key-distribution-information Y generated by the random number r2 for the
other receiver later. Therefore, it is difficult for an impersonation
attack to be carried out by resending the message in a group key
distribution among three or more persons.

As described in an embodiment hereinafter, in 
the calculations of the above method, the modulus 
is not one prime number but the product of two 
prime numbers. Therefore, the provision of the 
function for authenticating the public information, 
the sender, and the message is easy. Also, the 
amount of memory and calculation time are saved as
compared with the method in which the modulus is
the product of three or more prime numbers.

The first object is also achieved by the provi- 
sion of a cryptographic communication method for 
carrying out a cryptographic communication be- 
tween a sending station (1C) and one or more 
receiving stations (2C), comprising: 

generating key-distribution-information (Y) in 
the sending station (1C) from at least the public 
information in one receiving station (2C), a first 
random number (r1) generated in the sending sta- 
tion (1C), and time information (t) provided by a 
clock (18C) in the sending station (1C); 

sending the key-distribution-information (Y) and 
the time information (t); and 

restoring a cryptographic key (K) in the one 
receiving station (2C) from the received key- 
distribution-information (Y) by using at least secret 
information (SK) held in the one receiving station 
(2C), and the received time information (t). 

The second object is also achieved by the 
provision of a cryptographic communication device 
for carrying out cryptographic communication 
among a plurality of stations interconnected 
through one communication line, generating public 
information and secret information corresponding to 
the public information in each station, and distribut- 
ing encrypted sending information by using the 
public and secret information from a sending station (1C)
to one or more receiving stations (2C)
among stations, comprising:

random number generation means (11C) for generating random numbers (r1)
in the sending station (1C);

a clock (18C) for generating time information (t), the time information
(t) informing a sending time of the sending information;

key-distribution-information production means (13C) for producing
key-distribution-information (Y) from at least a random number (r1)
generated in the random number generation means (11C), the time
information (t) generated in the clock (18C), and the public information
of a receiving station (2C);

key information production means (15C) for producing key information (K)
generated by the random number (r1) generated in the random number
generation means (11C) in the sending station (1C);

key information restoration means (25C) for restoring the key
information (K) in the receiving station (2C) from the
key-distribution-information (Y) produced in the
key-distribution-information production means (13C) by using the time
information (t) generated in the clock (18C) and the secret information
(SK) of the receiving station (2C).

In the above configuration, as shown in Fig. 4, the
key-distribution-information Y is generated in a
key-distribution-information (Y) generating section 13C of a sending
station 1C by using a random number r1 generated in a random number
generating section 11C, time information t generated in a clock 18C, and
public information PK of a receiving station 2C. Also, a key K is
generated in a key generating section 15C by using the random number r1.
The key-distribution-information Y and the time information t are sent
to the receiving station 2C.

In the receiving station 2C, the key K is re- 
stored in a key restoration section 25C from the 
key-distribution-information Y by using the time in- 
formation t and secret information SK of the receiv- 
ing station 2C. 

Accordingly, because the key-distribution-information Y depends on the
random information r1 generated in the sender's section 11C and the
sending time t, the key K is changed for each communication. In
addition, it is possible to prevent an impersonation attack in which a
malicious receiver impersonates the true sender by sending the
key-distribution-information Y, which has been sent to that receiver at
a certain time, to a victimized receiver at another time.

BRIEF DESCRIPTION OF THE DRAWINGS 

Fig. 1 is a block diagram of a conventional 
cryptographic communication system. 

Fig. 2 is a block diagram showing basically a 
third to an eighth embodiment according to the 
present invention. 

Fig. 3 is a block diagram showing basically a 
first embodiment according to the present inven- 
tion. 



Fig. 4 is a block diagram showing basically a 
second embodiment according to the present in- 
vention. 

Fig. 5 shows schematically a cryptographic communication system of the
first to eighth embodiments according to the present invention.

Fig. 6 shows schematically the extended Fiat-Shamir method.

Fig. 7 is a block diagram showing a key distribution procedure of the
first embodiment according to the present invention.

Fig. 8 is a block diagram showing a key distribution procedure of the
second embodiment according to the present invention.

Fig. 9 is a block diagram showing a key distribution procedure of a
third embodiment according to the present invention.

Fig. 10 is a block diagram showing a key distribution procedure of a
fourth embodiment according to the present invention.

Fig. 11 is a block diagram showing a key distribution procedure of a
fifth embodiment according to the present invention.

Fig. 12 is a block diagram showing a key distribution procedure of a
sixth embodiment according to the present invention.

Fig. 13 is a block diagram showing a digital signature procedure of a
seventh embodiment according to the present invention.

Fig. 14 is a block diagram showing a key distribution procedure of an
eighth embodiment according to the present invention.

DESCRIPTION OF THE SPECIFIC EMBODIMENT 

Preferred embodiments are described with reference to Fig. 5 to Fig. 14.

A basic configuration of a cryptographic communication system common to
all embodiments is described as follows with reference to Fig. 5.

Fig. 5 shows schematically a cryptographic communication system of the
first to eighth embodiments according to the present invention.

As shown in Fig. 5, the cryptographic communication network system
comprises a center for starting up the system and a plurality of
stations U1 to Um which are provided corresponding to users 1 to m. Each
station can be either a sending station or a receiving station as
necessity requires. Each station Ui (i = 1, ..., m) is provided with an
identification number IDi which is set to identify one station from the
others in the network system. Si and IDi are unique to each other.

Next, the processing carried out at the center and at each station Ui is
explained. First, the production of a center key in the center is
explained. The center key is made to prepare for the processing in each
station Ui.
( Production of the center key )

In the center, two different large prime numbers p, q are generated, and
then the product n = p*q and the value L = LCM((p-1),(q-1)) which is the
least common multiple of (p-1) and (q-1) are calculated. Thereafter, an
integral number g is chosen as to be a generator of both a Galois field
GF(p) and a Galois field GF(q) as to the prime numbers p and q. Also, an
integral number u which is relatively prime with the value L is decided
as a public key of the center, and a secret key v of the center
corresponding to the public key u is produced. The key v satisfies the
following equation:

u*v ≡ 1 ( mod L ).

That is, the product u*v is congruent with 1 modulo the value L. In
other words, the remainder provided by dividing the product u*v by the
value L is equal to 1.

Next, the production of each station key in the 
center is explained. 

( Production of the station key ) 

In the center, a pair of keys di, Si are determined for the station Ui
as follows, and the keys are issued to the station Ui. The key di
differs from the public key u and is relatively prime with the least
common multiple L, and each key di is selected to satisfy the following
equation:

di ≠ dj when i ≠ j.

Thereafter, a secret key of the center ei is determined to satisfy the
following equation:

ei*di ≡ 1 ( mod L ).

Then, the secret information Si for authenticating the station is
determined by using the secret key v as follows and issued to each
station Ui:

Ii = h(IDi) mod n
Si = Ii^(-v) mod n.

Where h() is a pseudo random function and the 
value n is a common modulus in the cryptographic 
communication system. 

Thereafter, public information Pi is determined by using modulo n, the
predetermined values g, ei, and Si as follows:

Pi = Si * g^ei mod n.



According to the above procedure for producing the center key and
station key, the determined values are classified into the following
three categories:

(1) public information : u, g, n, h(), Pi (i = 1, ..., m)

(2) center secret information : v, p, q, L, ei (i = 1, ..., m)

(3) station secret information : di, Si.

All of the stations can be informed of the public information. Only the
center can be informed of the center secret information, which is kept a
secret from each station. Only the center and the station Ui know the
station secret information di, Si, which is kept a secret from the other
stations. The station secret information di, Si is not required to be
stored in the center after the information di, Si is issued to the
station Ui. For example, the station secret information di, Si is stored
in a secure memory medium and handed over to the station Ui.

The concrete key distribution processing is embodied by using the public
information and the information distributed to each station Ui prepared
as described above.

Now, before the specific description, an ID-based authentication method
based on a zero-knowledge identification scheme which is closely related
to the key distribution method according to the present invention will
be described with reference to Fig. 6.

As shown in Fig. 6, a protocol for communicating between two persons is
described. The aim of the protocol is that a prover station 1 proves to
a verifier station 2 that the station 1 has been issued the secret
information Si corresponding to the IDi from the center.

According to the above protocol, if a third party eavesdrops on the
communication between the prover station 1 and the verifier station 2,
the eavesdropper cannot know the secret information Si and the
impersonation attack cannot be carried out. As an example, one of the
extended Fiat-Shamir methods can be given. The method is described in
the following literature:

K.Ohta and T.Okamoto, "A Modification of the Fiat-Shamir Scheme", Crypto
88, Lecture Note on Computer Science, Springer Verlag pp.232-243.

Also, as examples of the practical zero-knowledge identification
protocols proposed until now, there are four typical methods as follows:

(1) Fiat-Shamir method
A.Fiat and A.Shamir, "How to prove yourself: practical solutions to
identification and signature problems", Crypto 86, Lecture Note on
Computer Science, Springer Verlag pp.116-194,

(2) Extended Fiat-Shamir method 1
K.Ohta and T.Okamoto, "A Modification of the Fiat-Shamir Scheme", Crypto
88, Lecture Note on Computer Science, Springer Verlag pp.232-243,

(3) Extended Fiat-Shamir method 2
K.Ohta, "Authentication Method Based on ID Utilizing RSA Cryptograph and
the Application of the Method", Proc. of the eleventh symposium on
information theory and its application, pp.567-572, December, 1988, and

(4) Beth method
T.Beth, "Efficient zero-knowledge identification scheme for smart
cards", Eurocrypt 88, Lecture note on Computer Science, Springer Verlag
pp.232-243.

In each protocol, there are three types of usage as follows:

(a) sequential version, 

(b) parallel version, and 

(c) non-interactive version. 

A detailed explanation for each version is omitted. The explanation for the configuration based on the extended Fiat-Shamir method 1 is made with reference to Fig. 6.

Fig. 6 shows the outline of the protocol in which the prover station 1 (designated by U1) authenticates the possession of the station secret information Si to the verifier station 2 (designated by U2).

Here, the processing in the prover station 1 is designated as
U1 : {processing}.

The transmission of the information from the prover station 1 to the verifier station 2 is designated as follows:

U1 → U2 : {information}.

In addition, the other notation is used for the following embodiments as
{number} : {processing},

where number means the step of the processing.

(Authentication protocol based on the extended Fiat-Shamir method 1)

Generating a random number R and calculating information X as follows:
U1 : X = R^u mod n --- (step 601)
U1 → U2 : ID1, X --- (step 602, 603)
U2 : generating a random number E --- (step 604)
U2 → U1 : E --- (step 605)

Calculating information Y as follows:
U1 : Y = R · S1^E mod n --- (step 606)
U1 → U2 : Y --- (step 607)

Calculating X0 as follows:
U2 : X0 = Y^u · I1^E --- (step 608)

X0 is compared with X and the verifier station 2 authenticates the sender as the true prover station 1 if X0 is equal to X. If X0 is not equal to X, the verifier station 2 does not authenticate the sender as the true prover station 1. --- (step 609)
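
Steps 601 to 609 as a runnable sketch, added here as an example and not taken from the patent. Assumptions: the toy modulus, the identity value I1, the 32-bit challenge range, and the issuing rule S1^u · I1 = 1 (mod n), which is the relation the check X0 = X needs in order to hold.

```python
import secrets

# Toy public parameters, constructed for this example (far too small for real use).
P_, Q_ = 2**31 - 1, 2**61 - 1            # primes known only to the center
N, PHI, U = P_ * Q_, (P_ - 1) * (Q_ - 1), 17

I1 = 1001                                 # public identity value of station 1 (constructed)
# Assumed issuing rule: S1^u * I1 = 1 (mod n), i.e. S1 is the u-th root of 1/I1.
S1 = pow(pow(I1, -1, N), pow(U, -1, PHI), N)


class Prover:
    """Station U1, holding the secret information S1."""

    def __init__(self, secret):
        self.secret = secret
        self.R = None

    def commit(self):                     # step 601: X = R^u mod n
        self.R = secrets.randbelow(N - 1) + 1
        return pow(self.R, U, N)

    def respond(self, E):                 # step 606: Y = R * S1^E mod n
        Y = self.R * pow(self.secret, E, N) % N
        self.R = None                     # R is single-use: one commitment, one challenge
        return Y


def challenge():                          # step 604: verifier's random number E
    return secrets.randbelow(2**32)


def verify(identity, X, E, Y):            # steps 608-609: X0 = Y^u * I1^E, compare with X
    return pow(Y, U, N) * pow(identity, E, N) % N == X


def run_session(prover, identity):
    """One honest run; returns the eavesdropper's view and the verifier's verdict."""
    X = prover.commit()
    E = challenge()
    Y = prover.respond(E)
    return (X, E, Y), verify(identity, X, E, Y)


def replay(transcript, identity):
    """Recorded X and Y are resent, but the verifier draws a fresh challenge."""
    X, E_old, Y = transcript
    E_new = challenge()
    while E_new == E_old:
        E_new = challenge()
    return verify(identity, X, E_new, Y)
```

The recorded pair (X, Y) only satisfies the check for the challenge E it was computed for, which is why the verifier must generate E itself for every run.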

Now, a method and a device for distributing a key are described as a first embodiment according to the present invention with reference to Fig. 7 after the above preparation based on the conventional step.

The first embodiment corresponds to the 
claims 1, 3, and 6. 

In the following description, the key distribution 
is described between the prover and the verifier in 
all embodiments for the sake of convenience. 

The procedure of the method for sharing the 
key is as follows. 

U1 : Obtaining public information P2 of the verifier station 2 --- (step 701)

Generating a random number r (1 ≤ r ≤ n-1) --- (step 702)

Calculating a new random number R by using an identification number ID2 of the verifier station 2a and the public information P2 as follows:
R = (P2^u · ID2)^r mod n --- (step 703)
Calculating the information X by using the new random number R as follows:
X = R^u mod n --- (step 704)
Producing a key K by using the random number r as follows:
K = g^(u·u·r) mod n --- (step 705)
Sending the identification number ID1 of the prover station 1a and the information X to the verifier station 2a as follows:
U1 → U2 : ID1, X --- (step 706, 707)
U2 : generating a random number E --- (step 708)
U2 → U1 : E --- (step 709)
Calculating the information Y by using the secret information S1 of the prover station 1a and the random number R as follows:
U1 : Y = R · S1^E mod n --- (step 710)
U1 → U2 : Y --- (step 711)
Calculating the information X0 as follows:
U2 : X0 = Y^u · I1^E mod n --- (step 712)
Comparing X0 with X --- (step 713)

If X0 is not equal to X, the verifier station 2a does not authenticate the sender as the true prover station 1a and the processing in the verifier station 2a is stopped. If X0 is equal to X, the verifier station 2a authenticates the sender as the true prover station 1a and the key K is produced by using the information X and a secret key d2 of the verifier station 2a as follows:
K = X^d2 mod n. --- (step 714)

Accordingly, in the first embodiment, because the key-distribution-information Y is generated dependent on the random number E generated in the verifier station 2a, it is very difficult for an eavesdropper to reuse the information Y for an impersonation attack.

Also, in the above method, because the communication from the receiver to the sender is included in the protocol, the method is not suitable for a non real time communication.

Next, a method and a device for sharing a common key as a second embodiment according to the present invention are described with reference to Fig. 8.

The second embodiment corresponds to the claims 1, 4, and 7.

As shown in Fig. 8, the procedure of the key sharing method is as follows.

(The processing in the prover station 1b)

1. Obtaining the public information P2 of a verifier station 2b --- (step 801)
Generating a random number r (1 ≤ r ≤ n-1) --- (step 802)
Calculating a new random number R by using an identification number ID2 of the verifier station 2b, the public information P2, and the random number r as follows:
R = (P2^u · ID2)^r mod n --- (step 803)
Calculating the information X by using the new random number R as follows:
X = R^u mod n --- (step 804)
Producing a key K by using the random number r as follows:
K = g^(u·u·r) mod n --- (step 805)

2. Calculating the key-distribution-information E by using the time information t and the information X as follows:
E = f(X, t) --- (step 806)

3. Calculating information Y by using the secret information S1 of the prover station 1a and the random number R as follows:
Y = R · S1^E mod n --- (step 815)

4. Sending ID2b, E, Y, t to the verifier station 2b --- (step 807, 808, 809, 810)

(Processing in the verifier station 2b)

5. Calculating X0 as follows:
X0 = Y^u · I1^E mod n --- (step 811)

6. When the difference between the time t and a time t' of a clock in the verifier station 2b is greater than a prescribed difference, the processing is stopped. On the other hand, when the difference is within the prescribed difference, E0 is calculated as follows:
E0 = f(X, t). --- (step 812)

7. When E is not equal to E0, the verifier authenticates that the communication has not been carried out with the prover station 1b and stops the processing. On the other hand, when E is equal to E0, the verifier authenticates that the communication has been carried out with the prover station 1b and carries out the next processing step. --- (step 813)

8. Generating K by using X0 and a secret key d2 of the verifier station 2b as follows:
K = X^d2 mod n --- (step 814)

The above method is a digital signature in the Fiat-Shamir method in which the key-distribution-information E, Y depends on the time t.

Accordingly, the verifier station 2b can authenticate that the key-distribution-information E, Y is produced at the time t in the prover station 1b.

Also, because the key-distribution-information E, Y is valid only on the condition that it is used in combination with the time information t, the impersonation attack on the prover station 1b is prevented even if the attacker tries to abuse the information E, Y.

The effect that the impersonation attack is prevented in this method is valid in a communication system in which the difference between the sending time t and the receiving time t' is small enough. On the other hand, the effect of the above method is reduced in a communication system in which the difference between the sending time t and the receiving time t' is large. In other words, the effect of the above method is reduced in a communication system in which the transmission delay is large. However, there are many communication systems, such as the telephone system, in which the transmission delay is small. Therefore, the method and the device of the second embodiment are applicable to practical use.

Next, a method and a device for authenticating a sender by using the extended Fiat-Shamir method 2 as a third embodiment according to the present invention are described with reference to Fig. 9.

The third embodiment corresponds to the claims 1, 2, and 5.

Hereinafter, the encryption procedure for producing a ciphertext C from a message M by using a cryptographic key K is represented by C = eK(M).

On the other hand, the decryption procedure for generating the message M from the ciphertext C by using the cryptographic key K is represented by M = dK(C).

First, the processing in a prover station 1c is 
described. 

(Processing in the prover station 1c)

1. Obtaining the public information P2 of a verifier station 2c --- (step 901)

2. Generating a random number r (1 ≤ r ≤ n-1), and calculating a random number R as follows:
R = (P2^u · I2)^r mod n --- (step 902)
calculating the key sharing information X as follows:
X = R^u mod n --- (step 903)
calculating the cryptographic key K as follows:
K = g^(u·u·r) mod n --- (step 904)

3. Producing a ciphertext C from a message M by using the key K as follows:
C = eK(M) --- (step 905)

4. Calculating E as follows:
E = f(X, C) --- (step 906)

5. Calculating additional key-distribution-information Y as follows:
Y = R^E · S1 mod n --- (step 907)

6. Sending ID1c, C, X, and Y to the verifier station 2c --- (step 908, 909, 910, 911)

Next, the processing in the verifier station 2c is described.

(The processing in the verifier station 2c)

1. Calculating Z as follows:
Z = Y^u · I1 mod n --- (step 912)

2. Calculating E0 as follows:
E0 = f(X, C) --- (step 913)

3. Calculating Z0 as follows:
Z0 = X^E0 mod n --- (step 914)

4. When Z is not equal to Z0, the verifier authenticates that the communication has not been carried out with the prover station 1c and stops the processing. On the other hand, when Z is equal to Z0, the verifier authenticates that the communication has been carried out with the prover station 1c and proceeds to the next processing step. --- (step 915)

5. Producing K from X by using a secret key d2 of the verifier station 2c as follows:
K = X^d2 mod n --- (step 916)

6. Obtaining the message M as follows:
M = dK(C) --- (step 917)

The key-distribution-information X, Y is an ex- 
tended Fiat-Shamir signature for the ciphertext C in 
the above embodiment. 

Accordingly, even if a ciphertext C', which differs from the true ciphertext C, is forged and sent to the verifier with the key-distribution-information X, Y by a third party to impersonate a true sender, the communication between the impersonator and the verifier is rejected by the verifier in the signature confirmation procedure because the signatures X, Y are not corresponding signatures for the forged ciphertext C', but for the true ciphertext C. Therefore, the impersonation attack ends in failure.
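
The third embodiment end to end (steps 902 to 917), as an added example that is not the patent's own code; it shows the receiver recovering K and M, and the same X, Y being rejected once the ciphertext is altered. Assumptions: the toy modulus, the identity values, SHA-256 as f, the XOR keystream standing in for eK/dK, and the issuing rule for S, P and d in issue(), which is constructed so that the equations for Z, X and K above hold.

```python
import hashlib
import secrets

# Toy parameters, constructed for this example (far too small for real use).
P_, Q_ = 2**31 - 1, 2**61 - 1            # primes known only to the center
N, PHI = P_ * Q_, (P_ - 1) * (Q_ - 1)
U, G = 17, 2                              # public exponent u and base g


def issue(identity, e):
    """Assumed set-up: S^u * I = 1 and (P^u * I)^d = g^u (mod n)."""
    S = pow(pow(identity, -1, N), pow(U, -1, PHI), N)
    P = S * pow(G, e, N) % N
    d = pow(e, -1, PHI)
    return S, P, d


ID1, ID2 = 1001, 2002                     # constructed identity values
S1, _, _ = issue(ID1, 257)                # sender (prover station 1c)
_, P2, D2 = issue(ID2, 65537)             # receiver (verifier station 2c)


def f(X, C):
    """One-way function f(X, C): SHA-256 truncated to 64 bits (an assumption)."""
    digest = hashlib.sha256(X.to_bytes(16, "big") + C).digest()
    return int.from_bytes(digest[:8], "big")


def e_K(K, data):
    """Toy stream cipher standing in for eK and dK: XOR with a SHA-256 keystream."""
    stream = bytearray()
    block = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(K.to_bytes(16, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def send(M, S_sender, I_receiver, P_receiver):
    r = secrets.randbelow(N - 1) + 1                          # 1 <= r <= n-1
    R = pow(pow(P_receiver, U, N) * I_receiver % N, r, N)     # step 902
    X = pow(R, U, N)                                          # step 903
    K = pow(G, U * U * r, N)                                  # step 904
    C = e_K(K, M)                                             # step 905
    E = f(X, C)                                               # step 906
    Y = pow(R, E, N) * S_sender % N                           # step 907
    return C, X, Y                                            # sent with the sender's ID


def receive(I_sender, C, X, Y, d_receiver):
    Z = pow(Y, U, N) * I_sender % N                           # step 912
    E0 = f(X, C)                                              # step 913
    Z0 = pow(X, E0, N)                                        # step 914
    if Z != Z0:                                               # step 915: reject, no decryption
        return None
    K = pow(X, d_receiver, N)                                 # step 916
    return e_K(K, C)                                          # step 917
```

receive() returns None before any key derivation or decryption when C, X, Y and the claimed sender identity do not belong together.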

The above method is realized by using the extended Fiat-Shamir method 2. However, the method can be also realized by the Fiat-Shamir method or the extended Fiat-Shamir method 1.

Next, a method and a device for authenticating a sender by using the extended Fiat-Shamir method 1 as a fourth embodiment according to the present invention are described with reference to Fig. 10.

The fourth embodiment corresponds to the claims 1, 2, and 5.

First, the procedure in a prover station 1d is described.

(Procedure in the prover station 1d)

1. Obtaining public information P2 of a verifier station 2d --- (step 1001)

2. Generating a random number r (1 ≤ r ≤ n-1), and calculating a random number R:
R = (P2^u · I2)^r mod n --- (step 1002)
calculating the key-distribution-information X as follows:
X = R^u mod n --- (step 1003)
calculating a cryptographic key K as follows:
K = g^(u·u·r) mod n --- (step 1004)

3. Producing a ciphertext C from a message M by using the key K as follows:
C = eK(M) --- (step 1005)

4. Calculating E as follows:
E = f(X, C) --- (step 1006)

5. Calculating additional key-distribution-information Y as follows:
Y = R · S1^E mod n --- (step 1007)

6. Sending ID1d, C, E, and Y to the verifier station 2d --- (step 1008, 1009, 1010, 1011)

Next, the processing in the verifier station 2d is described.

(Processing in the verifier station 2d)

1. Calculating X0 as follows:
X0 = Y^u · I1^E mod n --- (step 1012)

2. Calculating E0 as follows:
E0 = f(X0, C) --- (step 1013)

3. When X is not equal to X0, the verifier authenticates that the communication has not been carried out with the prover station 1d and stops the processing. On the other hand, when X is equal to X0, the verifier authenticates that the communication has been carried out with the prover station 1d and proceeds to the next processing step. --- (step 1014)

4. Producing K from X0 by using a secret key d2 of the verifier station 2d as follows:
K = X^d2 mod n --- (step 1015)

5. Obtaining the message M as follows:
M = dK(C) --- (step 1016)

6. The key-distribution-information E, Y is an extended Fiat-Shamir signature for the ciphertext C in the above embodiment.






Accordingly, it is impossible to use the information E, Y with another ciphertext C' which differs from the true ciphertext C, in the same manner as the third embodiment.

Also, the amount of calculation in both the sending and receiving stations is almost the same as in the third embodiment. However, the key-distribution-information E is sent to the verifier station 2d at the step 1010 in the fourth embodiment, while the key-distribution-information X is sent to the verifier station 2c at the step 910 in the third embodiment. In general, the digit number of the value X is almost equal to that of the modulus n. On the other hand, the digit number of the value E can be smaller than that of the modulus n. Therefore, the amount of communication can be reduced in the fourth embodiment.

The above method and device are realized by using the extended Fiat-Shamir method 1. However, the method can be also realized by the Fiat-Shamir method.

Next, a method and a device in which the amount of processing or communication is reduced are described as a fifth embodiment according to the present invention with reference to Fig. 11.

The fifth embodiment is a variation of the fourth embodiment. Therefore, the fifth embodiment can be embodied by using the extended Fiat-Shamir method 1 or the Fiat-Shamir method.

The fifth embodiment also corresponds to the 
claims 1 , 2, and 5. 

First, the procedure in a prover station 1e is 
described. 

(Procedure in the prover station 1e)

1. Obtaining public information P2 of a verifier station 2e --- (step 1101)

2. Generating a random number r (1 ≤ r ≤ n-1), and calculating a random number R as follows:
R = (P2^u · I2)^r mod n --- (step 1102)
calculating a cryptographic key K as follows:
K = g^(u·u·r) mod n --- (step 1103)

3. Producing a ciphertext C from a message M by using the key K as follows:
C = eK(M) --- (step 1104)

4. Calculating E by using the key K and the ciphertext C as follows:
E = f(K, C) --- (step 1105)

5. Calculating additional key-distribution-information Y by using the secret information S1 and the random number R as follows:
Y = R · S1^E mod n --- (step 1106)

6. Sending ID1e, C, E, Y to the verifier station 2e --- (step 1107, 1108, 1109, 1110)

Next, the processing in the verifier station 2e is described.

(Processing in the verifier station 2e)

1. Calculating X0 as follows:
X0 = Y^u · I1^E mod n --- (step 1111)

2. Producing K0 from X0 by using a secret key d2 of the verifier station 2e as follows:
K0 = X0^d2 mod n --- (step 1112)

3. Calculating E0 as follows:
E0 = f(K0, C) --- (step 1113)

4. When E is not equal to E0, the verifier authenticates that the communication has not been carried out with the prover station 1e and stops the processing. On the other hand, when E is equal to E0, the verifier authenticates that the communication has been carried out with the prover station 1e and proceeds to the next processing step. --- (step 1114)

5. Finding the message M as follows:
M = dK(C) --- (step 1115)

Accordingly, because the information X produced in the prover station 1d at the fourth embodiment is omitted at the fifth embodiment, the amount of processing is reduced. The reduction is equivalent to one modular exponentiation calculation for multiple-length integral number. The amount of this calculation is generally large, therefore the processing time is effectively reduced.

Because X is not sent to the receiver, the information E is produced by the receiver from the key K and the ciphertext C. By taking account of K = X^d2 mod n, the value E is rewritten as follows:

E = f(K, C) = f(X^d2 mod n, C) = f0(X, C)

where f0() is a one-way function.

Therefore, the security of this method is the same as in the fourth embodiment.

In the above mentioned embodiments from the third to the fifth, the key-distribution-information is produced to depend on the ciphertext C. However, even if the information is modified to depend on the message M, the impersonation attack carried out by resending the key-distribution-information is prevented in the similar manner as those embodiments.

For example, in the fifth embodiment, it is possible that the processing in the prover station 1e at the step 1105 be modified to the processing E = f(K, M), though the corresponding modification of the procedure for the processing in the prover station 1e is needed.

However, as described in the fifth embodiment, the configuration in which the key-distribution-information depends on the ciphertext C is superior to the other configuration in which the key-distribution-information depends on the message M. The reason is that the authentication of the true sender can be completed before decrypting the message M at the receiver (the verifier) in the former configuration. That is, the receiver can stop the processing before processing the useless decryption when a forged message M* is sent to the receiver.

Next, a method and a device are described as a sixth embodiment according to the present invention with reference to Fig. 12. The sixth embodiment is the same as the fifth embodiment in that the amount of processing or communication is reduced. The sixth embodiment is another variation of the fourth embodiment. Therefore, the sixth embodiment can be also embodied by using the extended Fiat-Shamir method 1 or the Fiat-Shamir method.

The sixth embodiment also corresponds to the 
claims 1, 2, and 5. 

First, the procedure in a prover station 1f is 
described. 

(Procedure in the prover station 1f)

1. Obtaining public information P2 of a verifier station 2f --- (step 1201)

2. Generating a random number r (1 ≤ r ≤ n-1) and calculating a random number R as follows:
R = (P2^u · I2)^r mod n --- (step 1202)
calculating a cryptographic key K as follows:
K = g^(u·u·r) mod n --- (step 1203)

3. Generating a ciphertext C as follows:
C = eK(M) --- (step 1204)

4. Calculating E as follows:
E = f(C) --- (step 1205)

5. Calculating additional key-distribution-information Y as follows:
Y = R · S1^E mod n --- (step 1206)

6. Sending ID1f, C, and Y to the verifier station 2f --- (step 1207, 1208, 1209)

Next, the processing in the verifier station 2f is described.

(Processing in the verifier station 2f)

1. Calculating E0 as follows:
E0 = f(C) --- (step 1210)

2. Calculating X0 as follows:
X0 = Y^u · I1^E0 mod n --- (step 1211)

3. Producing K0 from X0 by using a secret key d2 of the verifier station 2f as follows:
K0 = X0^d2 mod n --- (step 1212)

4. Obtaining a message M0 as follows:
M0 = dK0(C) --- (step 1213)

Accordingly, in the sixth embodiment, because the information X produced in the prover station 1e of the fourth embodiment is omitted, the information E can be omitted as the key-distribution-information while reducing the amount of processing. Therefore, the reduction in both the processing and the communication is embodied.

Because X is not produced, the information E is generated from the ciphertext C. By taking account of C = eK(M), the value E is rewritten as follows:

E = f(C) = f0(K, C)

where f0() is a one-way function.

Therefore, the security of this method is the same as in the fourth embodiment if the correctness of the information E0 can be authenticated at the verifier station. Though the correctness of the information E0 is not explicitly authenticated in the processing of the verifier station 2f, if the information E0 differs from the information E produced in the prover station 1f, the difference influences the decrypted message M0 so that the message M0 decrypted in the verifier station 2f at the step 1213 is not identical with the transmitted message M. This influence may be utilized to detect the malicious attack. For example, when the message M is in the Japanese language, the attack is detected because the series of letters is meaningless.

In general, when a type of structural redundancy exists in the message M, the correctness of the information E0 can be confirmed by confirming the existence of the redundancy in the decrypted message M0. That is, the prover station can be authenticated. If the structural redundancy should not exist in the message M, the redundancy can be added artificially. For example, a message authentication code, so-called MAC, can be utilized as one method for adding the redundancy to the message M.

In all the above embodiments, the key distribution method is described. However, in the methods described in the third to sixth embodiments, the digital signature method based on the non-interactive version of the zero-knowledge identification protocol is utilized as the sender authentication mechanism so that the method can be utilized as the digital signature method.

Therefore, the digital signature method with confidentiality will now be described as a seventh embodiment with reference to Fig. 13. The seventh embodiment is embodied by slightly modifying the third embodiment.

The seventh embodiment also corresponds to the claims 1, 2, and 5.

(Digital signature with confidentiality)

1. A prover station 1g produces a ciphertext C in the similar manner as in the third embodiment as follows:

C = eK(M || h(K || M)),

where the symbol || represents concatenation of two strings.

2. The prover station 1g sends the following digital signature sentence 1 to a verifier station 2g:

sentence 1 : (ID1g, ID2g, C, E, Y), --- (step 1301)

where the information Y, E is produced in the same manner as the third embodiment.

3. The verifier station 2g produces a key K by using a secret key d2 in the same manner as in the third embodiment, and confirms that the message M has a prescribed structure (M || h(K || M)) after decrypting the ciphertext C by using the cryptographic key K. --- (step 1302)

4. The verifier station 2g discloses the following digital signature sentence 2 to the other station 3 when the signature has to be confirmed by the station 3:

sentence 2 : (ID1g, C, E, Y, K). --- (step 1303)

5. The station 3 confirms the signature 2 according to the following judgement. --- (step 1304)

5-1. The information X0, E0 is calculated as follows:

X0 = Y^u · I1^E mod n
E0 = f(X0, C)

5-2. If E is equal to E0, the procedure goes on to the next step. If E is not equal to E0, the station 3 judges that the signature sentence 1 has not been sent from the prover station 1g before stopping the processing.

5-3. The station 3 confirms that, after obtaining the message M0 = dK(C), the decrypted message M0 has the prescribed structure (M || h(K || M)). If the message M0 has no prescribed structure, the station 3 judges that the signature sentence 1 has not been sent from the prover station 1g before stopping the processing. If the message M0 has the prescribed structure, the station 3 judges that the signature sentence 1 has been sent from the prover station 1g.

Accordingly, the signature sentence 1 can be authenticated only by the verifier station 2g so that the other station 3 cannot authenticate the signature sentence 1 unless the right key K is disclosed at or before step 1304. Therefore, when both the prover and verifier stations 1g, 2g keep the key K secret, those stations can prevent a third party from running away with the signature sentence 1 without authorization.



Also, the significant features in the above mentioned digital signature are as follows. The first feature is that the signature portion is the Fiat-Shamir type of mechanism. The second feature is that only a specific person (that is, the verifier station 2g in this embodiment) can authenticate the digital signature. The third feature is that the specific person is the first to be able to read the message M. The fourth feature is that anyone can confirm the signature sentence if the verifier station 2g authenticates the message M and the signature 1 and discloses the key K.

Because the signature sentence 2 being public 
with the right key K can be authenticated by any- 
one, the function of specifying the producer of the 
message M exists in the seventh embodiment in 
the same manner as in the conventional system. 

In all the above embodiments for distributing the key, the zero-knowledge identification protocol is utilized as the basic mechanism. However, the present invention can be utilized for preventing a replay attack in the key distribution utilizing a general public key cryptosystem.

Therefore, an eighth embodiment utilizing the RSA crypto system (R. L. Rivest et al., "A Method for Obtaining Public-Key Crypto Systems and Digital Signatures", Comm. of ACM, pp.120-126, Feb. 1978), which is the representative public key cryptosystem, will now be described with reference to Fig. 14.

The eighth embodiment also corresponds to 
the claims 1, 2, and 5. 

In the eighth embodiment, for simplicity, a public key of an arbitrary station is assumed to be registered in a special directory in which the key cannot be falsified.
Symbols are defined as follows:
Encryption procedure using a public key of a station i :

C = PKi(M) = mod n, 

Decryption procedure using a secret key of a sta- 
tion i : 

M = SKi(C) = C m mod n, 

Next, the processing in a prover station 1h is 
described. 

(Processing in the prover station 1h)

1. Generating a random number K and setting the number to a key K --- (step 1401)

2. Encrypting a message M by using the key K as follows:
C = eK(M) --- (step 1402)

3. Calculating the hash value H of C and K as follows:
H = f(C, K) --- (step 1403)

4. Calculating the key-distribution-information Y at a ciphertext with signature producing section as follows:
Y = PK2(SK1(ID1 || K || H)) --- (step 1404)

5. Sending an identification number ID1h, a ciphertext C, and the information Y to a verifier station 2h --- (step 1405, 1406, 1407)

Next, the processing in a verifier station 2h is described.

(Processing in the verifier station 2h)

1. Obtaining the decrypted information Z at a decryption section as follows:
Z = PK1(SK2(Y)) --- (step 1408)
The verifier station 2h confirms that the number ID1h is included in the decrypted information Z according to a prescribed form. If the number ID1h is not included in the decrypted information Z, the processing is stopped.

2. Taking out the key K and the hash value H, and calculating as follows:
H0 = f(C, K) --- (step 1409)

3. Confirming that the calculated hash value H0 is identical with the hash value H --- (step 1410)
If H0 is not identical with H, the processing is stopped. Otherwise, the processing proceeds to the next step.

4. Decrypting the ciphertext C by using the key K obtained at the step 1409 as follows:
M = dK(C) --- (step 1411)

In the above mentioned embodiment, the key-distribution-information is the signature of the sender for the ciphertext C in the similar manner as in the third to sixth embodiments when the key distribution method is carried out between two persons.

Accordingly, it is difficult for the key-distribution-information produced for some ciphertext C to be utilized by combining with the other ciphertext C'. That is, the eighth embodiment is effective for preventing an impersonation attack.

By using this embodiment, the same key K can be securely sent to a plurality of receivers. Thus, the same key K is shared among a group of three or more persons. For example, when a plurality of receivers 2, 3, ..., k exist for a single sender 1, the sender 1 can send the ciphertext C to all the receivers according to the procedure in which the message is sent to a receiver i (i = 2, 3, ..., k) by using the public information Pi of the receiver i in the same manner as in the communication between two persons. In this case, because the key K being common for all receivers can be sent, the procedure for encrypting the message M is performed only once. Therefore, the time-consuming procedure for encrypting the message M is reduced to 1/(k-1) compared with the procedure in which the key sharing between two persons is repeated (k-1) times.

Moreover, since the key-distribution-information depends on the ciphertext C, it is difficult for the receiver 2 to impersonate the sender 1 to send the other ciphertext C' to the other receiver 3 after the receiver 2 shares the key K among the group.

Though the eighth embodiment is described as utilizing the RSA crypto system, a new key distribution is embodied in the same manner as in the eighth embodiment if a public key cryptosystem which can realize both confidentiality and the digital signature is given.

To conclude, the sharing key is easily changed in all of the above embodiments as compared with the DH method. And, an impersonation attack can be prevented when the key is shared between two persons or among three or more persons, while the attack can be carried out by resending the message in the conventional method.

The impersonation attack can be prevented even in a non real time communication by adopting some methods according to the present invention and in a real time communication by adopting the other methods according to the present invention, while the key is easily shared between two persons or among three or more persons.

Having illustrated and described the principles of our invention in a preferred embodiment thereof, it should be readily apparent to those skilled in the art that the invention can be modified in arrangement and detail without departing from such principles. We claim all modifications coming within the spirit and scope of the accompanying claims.

Claims 

1. A cryptographic communication method, comprising:

carrying out cryptographic communication between a
sending station (1A, 1B, 1C) and one or more receiving
stations (2A, 2B, 2C) by using

(1) a ciphertext (C) formed by encrypting a unit of
sending information under the intervention of at least a
cryptographic key (K) and

(2) key-distribution-information (Y) produced by using at
least the ciphertext (C), receiving station's public
information (ID1, P1), and randomized information (r, r1)
generated in the sending station (1A, 1B, 1C).

2. A cryptographic communication method for carrying out
cryptographic communication between a sending station
(1A, 1B, 1C) and one or more receiving stations
(2A, 2B, 2C), comprising:

generating a ciphertext (C) in the sending station (1A)
by encrypting a unit of sending information under the
intervention of a cryptographic key (K) which is made
based on a random number (r) made in the sending station
(1A);

generating key-distribution-information (Y) in the
sending station (1A) from at least the ciphertext (C),
one receiving station's public information (ID1, P1), and
the random number (r);

sending the ciphertext (C) and the
key-distribution-information (Y) to the one receiving
station (2A);

restoring the cryptographic key (K) in the one receiving
station (2A) by using at least the ciphertext (C), the
received key-distribution-information (Y), and secret
information held in the one receiving station (2A); and

decrypting the received ciphertext (C) in the receiving
station (2A) under the intervention of the cryptographic
key to obtain the plain text (M) sent by the sender.

3. A cryptographic communication method for carrying out
cryptographic communication between a sending station
(1B) and one or more receiving stations (2B), comprising:

generating a ciphertext (C) in the sending station (1B)
by encrypting the sending information under the
intervention of a cryptographic key (K) which is produced
based on a first random number made in the sending
station (1B);

generating a key-distribution-information (Y) in the
sending station (1B) from at least public information in
one receiving station (2B), the first random number (r1),
and a second random number (r2) which is made in the one
receiving station (2B) and sent to the sending station
(1B);

sending the ciphertext (C) and the
key-distribution-information (Y) to the one receiving
station (2B);

restoring the cryptographic key (K) in the one receiving
station (2B) by using at least the received
key-distribution-information (Y), secret information (SK)
held in the one receiving station (2B), and the second
random number (r1); and

decrypting the received ciphertext (C) in the one
receiving station (2B) under the intervention of the
cryptographic key (K) to obtain the plain sending
information (M).

4. A cryptographic communication method for carrying out
a cryptographic communication between a sending station
(1C) and one or more receiving stations (2C), comprising:

generating key-distribution-information (Y) in the
sending station (1C) from at least the public information
in one receiving station (2C), a first random number (r1)
generated in the sending station (1C), and time
information (t) provided by a clock (18C) in the sending
station (1C);

sending the key-distribution-information (Y) and the time
information (t); and

restoring a cryptographic key (K) in the one receiving
station (2C) from the received
key-distribution-information (Y) by using at least secret
information (SK) held in the one receiving station (2C),
and the received time information (t).

5. A cryptographic communication device for:

carrying out cryptographic communication among a
plurality of stations interconnected through a
communication network;

generating a pair of public and secret information to
each station; and

distributing encrypted sending information by using the
public and secret information from a sending station (1A)
to one or more receiving stations (2A) among several
stations, comprising:

random number generation means (11A) for generating
random numbers in a sending station (1A, 1B, 1C);

key-distribution-information production means (13A) for
producing key-distribution-information (Y) from at least
the public information relating to a receiving station
(2A), a random number (r) generated in the random number
generation means (11A), and the sending information from
the sending station (1A);

key information production means (15A) for producing key
information (K) generated by the random number (r)
generated in the random number generation means (11A) in
the sending station (1A);

encryption means (17A) for encrypting the sending
information by using the key information (K) generated in
the key information production means (15A) in the sending
station (1A);

key information restoration means (25A) for restoring the
key information in the receiving station (2A) recovered
from the key-distribution-information (Y) produced in the
key-distribution-information production means by using
the encrypted sending information (C) and the secret
information (SK) of the receiving station (2A); and

decrypting means (27A) for decrypting the encrypted
sending information in the receiving station (2A) by
using the key information restored in the key information
restoration means (25A).

6. A cryptographic communication device for carrying out
cryptographic communication among a plurality of stations
interconnected through a communication network,
generating public information and secret information
corresponding to the public information in each station,
and distributing encrypted sending information by using
the public and secret information from a sending station
(1B) to one or more receiving stations (2B) among
stations, comprising:

first random number generation means (11B) for generating
first random numbers (r1) in a sending station (1B);

key-distribution-information production means (13B) for
producing key-distribution-information (Y) from at least
a first random number (r1) generated in the first random
number generation means (11B) and a second random number
(r2);

key information production means (15B) for producing key
information (K) generated by the first random number (r1)
generated in the first random number generation means in
the sending station (1B);

encryption means (17B) for encrypting the sending
information by using the key information (K) generated in
the key information production means (15B) in the sending
station (1B);

second random number generation means (21B) for
generating second random numbers (r2) in a receiving
station (2B);

key information restoration means (25B) for restoring the
key information in the receiving station (2B) from the
key-distribution-information (Y) produced in the
key-distribution-information production means (13B) by
using the second random number (r2) generated in the
second random number generation means (21B) and the
secret information (SK) of the receiving station (2B);
and

decrypting means (27B) for decrypting the encrypted
sending information in the receiving station (2B) by
using the key information (K) restored in the key
information restoration means (25B).



7. A cryptographic communication device for carrying out
cryptographic communication among a plurality of stations
interconnected through one communication line, generating
public information and secret information corresponding
to the public information in each station, and
distributing encrypted sending information by using the
public and secret information from a sending station (1C)
to one or more receiving stations (2C) among stations,
comprising:

random number generation means (11C) for generating
random numbers (r1) in the sending station (1C);

a clock (18C) for generating time information (t), the
time information (t) informing a sending time of the
sending information;

key-distribution-information production means (13C) for
producing key-distribution-information (Y) from at least
a random number (r1) generated in the random number
generation means (11C), the time information (t)
generated in the clock (18C), and the public information
of a receiving station (2C);

key information production means (15C) for producing key
information (K) generated by the random number (r1)
generated in the random number generation means (11C) in
the sending station (1C);

key information restoration means (25C) for restoring the
key information (K) in the receiving station (2C) from
the key-distribution-information (Y) produced in the
key-distribution-information production means (13C) by
using the time information (t) generated in the clock
(18C) and the secret information (SK) of the receiving
station (2C).